Lab 9 - SSL Decryption / Forward Proxy Lab

This document outlines the steps to configure a firewall for SSL decryption, including loading a Certificate Authority, creating decryption policies, and managing interface profiles. It emphasizes the importance of not decrypting sensitive categories like financial services and health. The lab concludes with validation steps to ensure proper configuration and logging of decrypted traffic.

Uploaded by svr1501
9. Lab: Interface Configuration

Lab Objectives
- Configure the firewall to handle traffic and place it in the network
- Make sure the proper Certificate Authority (CA) is on the firewall
- Configure SSL decryption rules
- Enable the SSL decryption notification page (optional)
- Commit changes and test decryption

9.1 Load or Generate CA Certificate in Firewall

A Certificate Authority (CA) is required to decrypt traffic, because the firewall generates server
certificates on the fly and must sign them. Create a self-signed CA on the firewall or import a
subordinate CA from your own PKI infrastructure. Then mark one certificate as the Forward Trust
Certificate (used when the real server certificate is valid) and one as the Forward Untrust
Certificate (used when the real server certificate fails validation, so the client still sees a
warning). Only the Forward Trust CA is later installed on clients.

NOTE: Public certificate providers such as Entrust, Verisign, DigiCert, and GoDaddy do not sell
subordinate CA certificates, so certificates from them cannot be used for SSL decryption.

1. Select Device > Certificate.

2. Click to create a new certificate. The certificate configuration window opens.


3. Configure the following:

Parameter               Value
Certificate Name        SSL Trust Forward Certificate
Common Name             Trust-Self-CA
Certificate Authority   Check the box (the certificate is a self-signed CA)
Certificate Attributes  Optional

4. Click OK to close the certificate configuration window.

5. Click to create a new Certificate. The Certificate configuration window opens.


6. Configure the following:

Parameter               Value
Certificate Name        SSL Untrust Forward Certificate
Common Name             Untrust-Self-CA
Certificate Authority   Check the box (the certificate is a self-signed CA)
Certificate Attributes  Optional

7. Click OK to close the certificate configuration window.

8. Open the certificate "SSL Trust Forward Certificate" by clicking its name, check the box
"Forward Trust Certificate", and click OK to close the certificate.

9. Open the certificate "SSL Untrust Forward Certificate" by clicking its name, check the box
"Forward Untrust Certificate", and click OK to close the certificate.

9.2 Create Decryption Policy

The network administrator determines what needs to be decrypted. A few suggestions for
configuring SSL decryption rules:

Implement rules in a phased approach. Start with specific decryption rules, and monitor the
typical number of SSL connections the device decrypts before broadening them.

Avoid decrypting the following URL categories, as users may consider this an invasion of privacy:

a. Financial services
b. Health and medicine

Do not decrypt applications where the server requires client-side certificates (for client
authentication): the forward proxy terminates the client's session and cannot present the
client's certificate to the server, so the handshake fails.

10. Select Policy > Decryption > Pre-Rule.

11. Click to define a Decryption policy rule.


12. Configure the following:

Parameter     Value
Name          Decrypt-ALL
Description   Decrypt all traffic


13. Click the Source tab and configure the following:

Parameter        Value
Source Zone      LAN
Source Address   192.168.x.0/24

14. Click the Destination tab and configure the following:

Parameter             Value
Destination Zone      WAN
Destination Address   Any

15. Click the URL Category tab and verify that is selected.

16. Click the Service tab and verify that "service-https" is selected.

17. Click the Options tab and verify the following:

Parameter            Value
Action               Decrypt
Type                 SSL Forward Proxy
Decryption Profile   Default

18. Click OK to close the Decryption Policy Rule configuration window.
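The Decrypt-ALL rule above matches URL category Any, while the guidance in this section says to leave financial-services and health sites encrypted. The following Python model of first-match rulebase evaluation is an added example, not part of this lab or of PAN-OS: it shows that a no-decrypt exception only takes effect when it sits above Decrypt-ALL. The rule fields, the category names and the 192.168.1.0/24 subnet are simplified, constructed values.

```python
import ipaddress
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class DecryptionRule:
    """Simplified model of one decryption rule (constructed; not the PAN-OS schema)."""
    name: str
    src_zone: str
    dst_zone: str
    src_net: str                     # CIDR or "any"
    categories: set = field(default_factory=lambda: {ANY})
    action: str = "decrypt"          # "decrypt" or "no-decrypt"

    def matches(self, flow):
        if (self.src_zone, self.dst_zone) != (flow["src_zone"], flow["dst_zone"]):
            return False
        if self.src_net != ANY and \
                ipaddress.ip_address(flow["src_ip"]) not in ipaddress.ip_network(self.src_net):
            return False
        return ANY in self.categories or flow["category"] in self.categories


def first_match(rulebase, flow):
    """First-match evaluation: returns (rule name, action); no match means no decryption."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "no-decrypt"


# Constructed values: the lab's source subnet is 192.168.x.0/24, with x = 1 here.
DECRYPT_ALL = DecryptionRule("Decrypt-ALL", "LAN", "WAN", "192.168.1.0/24")
PRIVACY_EXCEPTION = DecryptionRule(
    "No-Decrypt-Privacy", "LAN", "WAN", "192.168.1.0/24",
    {"financial-services", "health-and-medicine"}, "no-decrypt")


def bank_flow():
    """Constructed flow: a LAN client browsing to a financial-services site."""
    return {"src_zone": "LAN", "dst_zone": "WAN", "src_ip": "192.168.1.25",
            "category": "financial-services"}


if __name__ == "__main__":
    for label, rulebase in [("lab rulebase (Decrypt-ALL only)", [DECRYPT_ALL]),
                            ("exception below Decrypt-ALL", [DECRYPT_ALL, PRIVACY_EXCEPTION]),
                            ("exception above Decrypt-ALL", [PRIVACY_EXCEPTION, DECRYPT_ALL])]:
        print(f"{label}: {first_match(rulebase, bank_flow())}")
```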

9.3 Create Interface Management Profiles


An Interface Management Profile protects the firewall from unauthorized access by defining the
services and IP addresses that a firewall interface permits. You can assign an Interface Management
Profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces (Aggregate,
VLAN, Loopback, and Tunnel interfaces).

1. Select Network > Network Profiles > Interface Mgmt.

2. Click to open the Interface Management Profile configuration window.


3. Configure the following:

Parameter            Value
Name                 Ping-HTTPS-profile
Permitted Services

4. Click OK to close the Interface Management Profile configuration window.

5. Select Network > Interface > Ethernet1/2 (LAN interface).

6. Click the Advanced tab.
7. Click the Management Profile drop-down list and select Ping-HTTPS-profile.
8. Click OK to close the Ethernet Interface configuration window.
9. Commit all changes.

9.4 Validation

1. Open a remote console to PC1 from the VMware console.

2. After logging in to PC1 with the default username and password, open a browser and go to the
firewall Web GUI at the LAN gateway IP, https://192.168.x.x.

3. Log in to the firewall Web GUI with admin credentials.

4. Select Device > Certificate.

5. Select the certificate by checking the box next to "SSL Trust Forward Certificate" and choose
the Export Certificate option.

6. Click OK to export the certificate.

7. Install the certificate in the PC's certificate store.

8. After the certificate has been installed in the PC's store, close all open browser tabs.

9. Browse to any HTTPS website and inspect its certificate: it will be signed by Trust-Self-CA.

Log Validation:

Select Monitor > Logs > Traffic Logs.

Firewalls running PAN-OS 9.1 or later have a separate Decryption log under the Monitor tab.

Check the session with the CLI command show session id <id>; its output includes the proxy
information for decrypted traffic.

Stop. This is the end of the Interface Configuration lab.
